ac970a41db8598dbd7db4b2879dc6185f736ff894fa02ca0d957ff6b0ae414e6

General

Target

0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe
Size

76KB
MD5

0ce0e69ccb9b5c1e856e831c4a663100
SHA1

c3fdc562b16baae8f0538668cbe3c493ad5e6715
SHA256

ac970a41db8598dbd7db4b2879dc6185f736ff894fa02ca0d957ff6b0ae414e6
SHA512

08e055da9ff90848b52d8d5eda184c41e12bdfedae7e6f8bbd67e5f87fbd32befe0deb2d431ddc342d606ae3953f9265b39d81bb26ce40d14dd6d01e004ca904
SSDEEP

1536:MvP69lUyW1UwzJmWRaD1gXI7uMrpzrnacxfzZ1:G69lU2UmWVXI7uMlzTFz7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
202104	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe
203212	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2884	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe
202104	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe
202104	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe
202104	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe
202104	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe
202104	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/202104-467042-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/202104-467044-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/202104-467047-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/202104-467049-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/202104-467050-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/202104-467092-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\system\\svchost.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2884 set thread context of 202104	2884	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2884	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe
202104	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe
203212	svchost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 202104	2884	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	30
PID 2884 wrote to memory of 202104	2884	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	30
PID 2884 wrote to memory of 202104	2884	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	30
PID 2884 wrote to memory of 202104	2884	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	30
PID 2884 wrote to memory of 202104	2884	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	30
PID 2884 wrote to memory of 202104	2884	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	30
PID 2884 wrote to memory of 202104	2884	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	30
PID 2884 wrote to memory of 202104	2884	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	30
PID 202104 wrote to memory of 72408	202104	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	31
PID 202104 wrote to memory of 72408	202104	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	31
PID 202104 wrote to memory of 72408	202104	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	31
PID 202104 wrote to memory of 72408	202104	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	31
PID 72408 wrote to memory of 72672	72408	cmd.exe	33
PID 72408 wrote to memory of 72672	72408	cmd.exe	33
PID 72408 wrote to memory of 72672	72408	cmd.exe	33
PID 72408 wrote to memory of 72672	72408	cmd.exe	33
PID 202104 wrote to memory of 203212	202104	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	34
PID 202104 wrote to memory of 203212	202104	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	34
PID 202104 wrote to memory of 203212	202104	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	34
PID 202104 wrote to memory of 203212	202104	0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe	34

C:\Users\Admin\AppData\Local\Temp\0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:202104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\PQMKM.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:72408
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\svchost.exe" /f
      4⤵
      Adds Run key to start application
      PID:72672
- - C:\Users\Admin\AppData\Roaming\system\svchost.exe
    "C:\Users\Admin\AppData\Roaming\system\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:203212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PQMKM.bat

Filesize
148B

MD5
05d958f804a3cb770b18371699915faf

SHA1
82e91a19f4f23340db8bb5c7d271aa0b590ff723

SHA256
61ae6f17d637624fd66d1dfad93a1c6a863aa7caf67d3e267910f4b9212bdf52

SHA512
3ff7be267167f2c447e9aeef2f5e84785dd45d08a10738b1b4c1b01b21d3ea29e637ede50b1091211b97fd40ae5b2bea54e053200778228ffde852f8a19ce921

Download Submit
\Users\Admin\AppData\Local\Temp\0ce0e69ccb9b5c1e856e831c4a663100_NeikiAnalytics.exe

Filesize
76KB

MD5
0ce0e69ccb9b5c1e856e831c4a663100

SHA1
c3fdc562b16baae8f0538668cbe3c493ad5e6715

SHA256
ac970a41db8598dbd7db4b2879dc6185f736ff894fa02ca0d957ff6b0ae414e6

SHA512
08e055da9ff90848b52d8d5eda184c41e12bdfedae7e6f8bbd67e5f87fbd32befe0deb2d431ddc342d606ae3953f9265b39d81bb26ce40d14dd6d01e004ca904

Download Submit
\Users\Admin\AppData\Roaming\system\svchost.exe

Filesize
76KB

MD5
3c6d35757f261c9782e727ba338ec866

SHA1
481f2fe7679b4e796a55863c48577888e6c25e9d

SHA256
3ec527c5af129a34d2d63d2e3e26525a79da79ea911e142cbbbb6e6673a00a82

SHA512
12c2dbb58abd7607ec5d3b420d3ec26b9aa041d1df2b7124f762a33f0d28b8b27b2620c241beebe4d9c3aee937eb2d083154b9e9adf2960c95eb04479fdf27e1

Download Submit
memory/2884-4-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2884-14-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2884-26-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2884-38-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2884-58-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2884-68-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2884-174-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2884-134610-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2884-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/202104-467040-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/202104-467046-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/202104-467047-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/202104-467049-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/202104-467050-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/202104-467044-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/202104-467042-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/202104-467092-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/203212-467095-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/203212-467102-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads